Security Vulnerabilities in Baseboard Management Controllers Rampant, Research Finds

Joint research by Rapid7 and an independent security researcher has spotlighted vulnerabilities in embedded technology used to remotely manage servers known as baseboard management controllers [BMCs].

The Intelligent Platform Management Interface [IPMI] is a server management protocol that runs on the BMC. According to research by Rapid7’s HD Moore and security researcher Dan Farmer, both BMC and IPMI security is being challenged in ways many organizations may not have thought of.

“BMCs are often underappreciated and overlooked during security audits,” blogged Moore, chief security officer at Rapid7. “Like many embedded devices, they tend to respond slowly to tests and have a few non-standard network services in addition to web-based management.”

“The difference between a BMC and say, a printer, is what you get access to once it has been successfully compromised,” he explained. “The BMC has direct access to the motherboard of its host system. This provides the ability to monitor, reboot, and reinstall the host server, with many systems providing interactive KVM access and support for virtual media. In essence, access to the BMC is effectively physical access to the host system. If an attacker can not only login to the BMC, but gain root access to it as well, they may be able to directly access the i2c bus and Super I/O chip of the host system.”

Using a series of network probes sent on UDP port 623, the researchers identified IPMI systems and tested for various vulnerabilities. What they discovered was that roughly 308,000 IPMI-enabled BMCs are exposed to the IPv4 Internet; 195,000 of these devices only support IPMI 1.5, which does not provide any form of encryption; and 113,000 of these devices support IPMI v2.0, which suffers from serious design flaws.

In addition, of the 113,000 that support IPMI specification v2.0, 99,000 were confirmed to expose password hashes, while 53,000 were confirmed to be vulnerable to password bypass due to a cipher suite known as Cipher 0 that bypasses the entire authentication process and allows IPMI commands from any source.

“The 53,000 BMCs that allow authentication via Cipher 0 are at immediate risk of compromise,” according to a paper detailing the researchers’ findings. “No exploit code is needed to manipulate these systems as the standard IPMI command-line tools provide the required functionality. An attacker could use the Cipher 0 weakness to configure a backdoor account with administrative privileges. This backdoor could be used to compromise the BMC and the connected server.”
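The two protocol weaknesses described above (IPMI 1.5 sessions with no encryption, and IPMI 2.0 sessions negotiated with Cipher 0) both leave a fingerprint on the wire that a defender can check passively. The following is an added example, not code from Rapid7 or the researchers: it classifies raw UDP/623 payloads (for instance pulled from a packet capture on the management VLAN) by parsing the RMCP and IPMI session headers, flags any RMCP+ Open Session Request asking for all-"none" algorithms (cipher suite 0) and, more importantly, any Open Session Response in which a BMC accepted it. The sample datagrams at the bottom are constructed for the test, and the field offsets follow the IPMI 2.0 RMCP+ Open Session message layout.

```python
import struct

RMCP_CLASS_IPMI = 0x07          # RMCP class byte for IPMI messages
AUTH_FORMAT_RMCP_PLUS = 0x06    # IPMI 2.0 (RMCP+) session header marker
PAYLOAD_OPEN_SESSION_REQ, PAYLOAD_OPEN_SESSION_RSP = 0x10, 0x11
# IPMI 1.5 authentication types: none of them provides confidentiality
IPMI15_AUTH_TYPES = {0x00: "none", 0x01: "MD2", 0x02: "MD5", 0x04: "password"}

def _algorithms(records):
    """(auth, integrity, confidentiality) ids from three 8-byte records; byte 4 holds the id."""
    return tuple(records[i + 4] for i in (0, 8, 16))

def inspect_ipmi_datagram(data):
    """Classify one UDP/623 payload. 'finding' is not-ipmi, ok, ipmi15-plaintext,
    cipher0-request (client asked for suite 0) or cipher0-accepted (BMC agreed)."""
    if len(data) < 16 or data[0] != 0x06 or data[3] != RMCP_CLASS_IPMI:
        return {"finding": "not-ipmi"}           # no complete RMCP/IPMI session header
    auth_type = data[4]
    if auth_type != AUTH_FORMAT_RMCP_PLUS:       # IPMI 1.5 session header
        return {"finding": "ipmi15-plaintext",
                "auth": IPMI15_AUTH_TYPES.get(auth_type, hex(auth_type))}
    payload_type = data[5] & 0x3F                # bits 6/7 are auth/encrypt flags
    payload_len = struct.unpack_from("<H", data, 14)[0]
    payload = data[16:16 + payload_len]
    if payload_type == PAYLOAD_OPEN_SESSION_REQ and len(payload) >= 32:
        algs = _algorithms(payload[8:])          # after tag, priv, rsvd(2), console id(4)
        return {"finding": "cipher0-request" if algs == (0, 0, 0) else "ok", "algorithms": algs}
    if payload_type == PAYLOAD_OPEN_SESSION_RSP and len(payload) >= 36:
        status, algs = payload[1], _algorithms(payload[12:])  # also skips BMC session id(4)
        accepted = status == 0 and algs == (0, 0, 0)
        return {"finding": "cipher0-accepted" if accepted else "ok", "status": status, "algorithms": algs}
    return {"finding": "ok", "payload_type": payload_type}

# --- constructed sample datagrams (not captured traffic) -----------------------
def _rmcp_plus(payload_type, payload):
    """Wrap a payload in RMCP + IPMI 2.0 session headers (zero session id and sequence)."""
    return (bytes([0x06, 0x00, 0xFF, RMCP_CLASS_IPMI, AUTH_FORMAT_RMCP_PLUS, payload_type])
            + b"\x00" * 8 + struct.pack("<H", len(payload)) + payload)

def _alg_records(auth, integ, conf):
    return b"".join(bytes([t, 0, 0, 8, a, 0, 0, 0]) for t, a in ((0, auth), (1, integ), (2, conf)))

_REQ_HDR = bytes([0x00, 0x04, 0x00, 0x00]) + b"\xa4\xa3\xa2\xa0"   # tag, ADMIN priv, rsvd, console id
SAMPLE_CIPHER0_REQUEST = _rmcp_plus(PAYLOAD_OPEN_SESSION_REQ, _REQ_HDR + _alg_records(0, 0, 0))
SAMPLE_CIPHER3_REQUEST = _rmcp_plus(PAYLOAD_OPEN_SESSION_REQ, _REQ_HDR + _alg_records(1, 1, 1))
SAMPLE_CIPHER0_ACCEPTED = _rmcp_plus(PAYLOAD_OPEN_SESSION_RSP,             # status 0 = accepted
    bytes([0x00, 0x00, 0x04, 0x00]) + b"\xa4\xa3\xa2\xa0" + b"\x01\x00\x00\x00" + _alg_records(0, 0, 0))
SAMPLE_IPMI15_MD5 = bytes([0x06, 0x00, 0xFF, RMCP_CLASS_IPMI, 0x02]) + b"\x00" * 8 + b"\x11" * 16 + b"\x00"
```

A `cipher0-accepted` response from one of your own BMCs is the passive equivalent of the researchers' active check and means Cipher 0 must be disabled on that controller; an `ipmi15-plaintext` session shows a BMC that can never be made confidential and should only be reachable from an isolated management network.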

The researchers also discovered 35,000 Supermicro BMCs expose an exploitable Universal Plug and Play (UPnP) service and are vulnerable to remote root compromise. An exploit module for this issue has been available in the Metasploit Framework since March. A root compromise of the BMC can lead to disclosure of clear-text passwords and unauthorized access to the connected server, according to the paper.

Large enterprises should ensure that no IPMI-enabled BMCs are exposed to untrusted networks, and steps should be taken to disable Cipher 0 and set complex passwords, according to the paper. Hosting providers should immediately assess their systems and ensure no internal systems have IPMI exposed to the public network. 

“In addition to vulnerabilities in the IPMI protocol itself, most BMCs seem to suffer from issues common across all embedded devices, namely default passwords, outdated open source software, and, in some cases, backdoor accounts and static encryption keys,” blogged Moore. “The world of BMCs is a mess that is not likely to get better anytime soon, and we need to be crystal clear about the risk these devices pose to our networks.”

More on their findings can be found here
